floxif | 1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Size

161KB
MD5

5d41349e1ffbcf6a9b28bb26ca269990
SHA1

003990114fe981a7986460521044a00953194697
SHA256

1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209
SHA512

b58240d7aca9324cddeb05858444984e228219adfee79e9dd46ba000960d4920500f86d79c8b9435f2bacf29170311af455a35b66fe39b9952837bcdbde377a2
SSDEEP

3072:MQHcnrJXSUBz2+KWaxXLBUVfqHnpQuF4BOoTjcIDiFx7A:0V8+n0XdUVApQDTcXFx7A

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
1948	explorer.exe
2964	explorer.exe
1936	explorer.exe
1888	explorer.exe
792	explorer.exe
2252	explorer.exe
1688	explorer.exe
1908	explorer.exe
320	smss.exe
2780	explorer.exe
2484	smss.exe
2804	explorer.exe
632	explorer.exe
1276	smss.exe
664	explorer.exe
2216	explorer.exe
2976	smss.exe
2876	explorer.exe
1904	explorer.exe
2316	explorer.exe
1728	explorer.exe
1540	smss.exe
1676	explorer.exe
1480	explorer.exe
1668	explorer.exe
624	explorer.exe
2544	explorer.exe
1648	smss.exe
2636	explorer.exe
2292	explorer.exe
2672	explorer.exe
2324	explorer.exe
2688	smss.exe
1856	explorer.exe
2564	explorer.exe
1504	explorer.exe
1120	explorer.exe
904	explorer.exe
2412	explorer.exe
2136	explorer.exe
2264	smss.exe
2012	explorer.exe
1724	explorer.exe
2648	explorer.exe
2680	explorer.exe
324	explorer.exe
1476	explorer.exe
996	explorer.exe
2104	smss.exe
1608	explorer.exe
2884	explorer.exe
1864	explorer.exe
948	explorer.exe
2208	explorer.exe
1056	explorer.exe
2332	smss.exe
2548	explorer.exe
2740	explorer.exe
2024	explorer.exe
2428	explorer.exe
2968	smss.exe
1948	explorer.exe
112	explorer.exe
1712	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
1864	arp.exe
2284	arp.exe
2716	arp.exe
2768	arp.exe
2704	arp.exe
2324	arp.exe
2192	arp.exe
2812	arp.exe
2752	arp.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
1936	explorer.exe
2232	arp.exe
1936	explorer.exe
1936	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
792	explorer.exe
792	explorer.exe
792	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
1688	explorer.exe
1688	explorer.exe
1688	explorer.exe
1908	explorer.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
320	smss.exe
1908	explorer.exe
1908	explorer.exe
2780	explorer.exe
1948	explorer.exe
1948	explorer.exe
2484	smss.exe
320	smss.exe
320	smss.exe
2804	explorer.exe
2780	explorer.exe
2780	explorer.exe
632	explorer.exe
2964	explorer.exe
2964	explorer.exe
1276	smss.exe
2484	smss.exe
2484	smss.exe
664	explorer.exe
2804	explorer.exe
2804	explorer.exe
2216	explorer.exe
1936	explorer.exe
1936	explorer.exe
2976	smss.exe
632	explorer.exe
632	explorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\h:	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2704	arp.exe
2284	arp.exe
2752	arp.exe
2716	arp.exe
2768	arp.exe
1864	arp.exe
2324	arp.exe
2812	arp.exe
2192	arp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/memory/2696-4-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1864-10-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1864-12-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2284-14-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2704-22-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2192-25-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2324-24-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2768-21-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2716-20-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2752-29-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2812-28-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2768-35-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2284-33-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2752-31-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2716-37-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2324-40-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2704-39-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2812-41-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2192-43-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/files/0x0007000000016c4a-46.dat	upx
behavioral1/memory/2696-56-0x00000000033C0000-0x0000000003418000-memory.dmp	upx
behavioral1/memory/1948-60-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2696-59-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2696-62-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1948-63-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1948-69-0x0000000002740000-0x0000000002798000-memory.dmp	upx
behavioral1/memory/2964-73-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1948-74-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1948-76-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1936-85-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1936-83-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2232-87-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2696-90-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2964-92-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2964-96-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1888-104-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1936-103-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2964-109-0x0000000000560000-0x00000000005B8000-memory.dmp	upx
behavioral1/memory/1936-112-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/792-123-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1888-120-0x0000000001D90000-0x0000000001DE8000-memory.dmp	upx
behavioral1/memory/2696-128-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1888-129-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1948-132-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2252-138-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1888-134-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/792-142-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1888-144-0x0000000001D90000-0x0000000001DE8000-memory.dmp	upx
behavioral1/memory/1688-155-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1688-154-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2252-153-0x0000000000560000-0x00000000005B8000-memory.dmp	upx
behavioral1/memory/792-151-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2252-159-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1908-169-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2252-166-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/792-164-0x0000000000580000-0x00000000005D8000-memory.dmp	upx
behavioral1/memory/2696-171-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2252-172-0x0000000000560000-0x00000000005B8000-memory.dmp	upx
behavioral1/memory/320-187-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/320-186-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1688-183-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2696-182-0x0000000003A60000-0x0000000003AB8000-memory.dmp	upx

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	smss.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	smss.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	smss.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	smss.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	smss.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
1948	explorer.exe
2964	explorer.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
1936	explorer.exe
1888	explorer.exe
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
792	explorer.exe
792	explorer.exe
2252	explorer.exe
2252	explorer.exe
1688	explorer.exe
1688	explorer.exe
1908	explorer.exe
320	smss.exe
320	smss.exe
2780	explorer.exe
2484	smss.exe
2804	explorer.exe
632	explorer.exe
1276	smss.exe
664	explorer.exe
2216	explorer.exe
2976	smss.exe
2876	explorer.exe
1904	explorer.exe
2316	explorer.exe
1728	explorer.exe
1540	smss.exe
1676	explorer.exe
1480	explorer.exe
1668	explorer.exe
624	explorer.exe
1648	smss.exe
1480	explorer.exe
2636	explorer.exe
2292	explorer.exe
2672	explorer.exe
2324	explorer.exe
2688	smss.exe
1856	explorer.exe
2292	explorer.exe
2564	explorer.exe
1504	explorer.exe
1120	explorer.exe
904	explorer.exe
2412	explorer.exe
2136	explorer.exe
2264	smss.exe
2012	explorer.exe
1724	explorer.exe
2680	explorer.exe
2648	explorer.exe
2136	explorer.exe
324	explorer.exe
1476	explorer.exe
996	explorer.exe
2104	smss.exe
1608	explorer.exe
1608	explorer.exe
2884	explorer.exe
2884	explorer.exe
1864	explorer.exe
1864	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Token: SeDebugPrivilege	1864	arp.exe
Token: SeLoadDriverPrivilege	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Token: SeDebugPrivilege	2704	arp.exe
Token: SeDebugPrivilege	2284	arp.exe
Token: SeDebugPrivilege	2324	arp.exe
Token: SeDebugPrivilege	2716	arp.exe
Token: SeDebugPrivilege	2768	arp.exe
Token: SeDebugPrivilege	2192	arp.exe
Token: SeDebugPrivilege	2812	arp.exe
Token: SeDebugPrivilege	2752	arp.exe
Token: SeDebugPrivilege	1948	explorer.exe
Token: SeLoadDriverPrivilege	1948	explorer.exe
Token: SeLoadDriverPrivilege	2964	explorer.exe
Token: SeDebugPrivilege	2964	explorer.exe
Token: SeLoadDriverPrivilege	1936	explorer.exe
Token: SeDebugPrivilege	1936	explorer.exe
Token: SeLoadDriverPrivilege	1888	explorer.exe
Token: SeDebugPrivilege	1888	explorer.exe
Token: SeLoadDriverPrivilege	792	explorer.exe
Token: SeDebugPrivilege	792	explorer.exe
Token: SeLoadDriverPrivilege	2252	explorer.exe
Token: SeDebugPrivilege	2252	explorer.exe
Token: SeLoadDriverPrivilege	1688	explorer.exe
Token: SeDebugPrivilege	1688	explorer.exe
Token: SeLoadDriverPrivilege	1908	explorer.exe
Token: SeDebugPrivilege	1908	explorer.exe
Token: SeDebugPrivilege	320	smss.exe
Token: SeLoadDriverPrivilege	320	smss.exe
Token: SeLoadDriverPrivilege	2780	explorer.exe
Token: SeDebugPrivilege	2780	explorer.exe
Token: SeLoadDriverPrivilege	2484	smss.exe
Token: SeDebugPrivilege	2484	smss.exe
Token: SeLoadDriverPrivilege	2804	explorer.exe
Token: SeDebugPrivilege	2804	explorer.exe
Token: SeLoadDriverPrivilege	632	explorer.exe
Token: SeDebugPrivilege	632	explorer.exe
Token: SeLoadDriverPrivilege	1276	smss.exe
Token: SeDebugPrivilege	1276	smss.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeLoadDriverPrivilege	664	explorer.exe
Token: SeLoadDriverPrivilege	2216	explorer.exe
Token: SeDebugPrivilege	2216	explorer.exe
Token: SeLoadDriverPrivilege	2976	smss.exe
Token: SeDebugPrivilege	2976	smss.exe
Token: SeDebugPrivilege	2876	explorer.exe
Token: SeLoadDriverPrivilege	2876	explorer.exe
Token: SeLoadDriverPrivilege	1904	explorer.exe
Token: SeDebugPrivilege	1904	explorer.exe
Token: SeLoadDriverPrivilege	2316	explorer.exe
Token: SeDebugPrivilege	2316	explorer.exe
Token: SeLoadDriverPrivilege	1728	explorer.exe
Token: SeDebugPrivilege	1728	explorer.exe
Token: SeLoadDriverPrivilege	1540	smss.exe
Token: SeDebugPrivilege	1540	smss.exe
Token: SeLoadDriverPrivilege	1676	explorer.exe
Token: SeDebugPrivilege	1676	explorer.exe
Token: SeLoadDriverPrivilege	1480	explorer.exe
Token: SeDebugPrivilege	1480	explorer.exe
Token: SeLoadDriverPrivilege	1668	explorer.exe
Token: SeDebugPrivilege	1668	explorer.exe
Token: SeLoadDriverPrivilege	624	explorer.exe
Token: SeDebugPrivilege	624	explorer.exe
Token: SeLoadDriverPrivilege	1648	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1864	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	30
PID 2696 wrote to memory of 1864	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	30
PID 2696 wrote to memory of 1864	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	30
PID 2696 wrote to memory of 1864	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	30
PID 2696 wrote to memory of 2704	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	32
PID 2696 wrote to memory of 2704	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	32
PID 2696 wrote to memory of 2704	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	32
PID 2696 wrote to memory of 2704	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	32
PID 2696 wrote to memory of 2284	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	33
PID 2696 wrote to memory of 2284	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	33
PID 2696 wrote to memory of 2284	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	33
PID 2696 wrote to memory of 2284	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	33
PID 2696 wrote to memory of 2324	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	34
PID 2696 wrote to memory of 2324	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	34
PID 2696 wrote to memory of 2324	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	34
PID 2696 wrote to memory of 2324	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	34
PID 2696 wrote to memory of 2752	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	36
PID 2696 wrote to memory of 2752	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	36
PID 2696 wrote to memory of 2752	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	36
PID 2696 wrote to memory of 2752	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	36
PID 2696 wrote to memory of 2716	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	37
PID 2696 wrote to memory of 2716	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	37
PID 2696 wrote to memory of 2716	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	37
PID 2696 wrote to memory of 2716	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	37
PID 2696 wrote to memory of 2812	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	38
PID 2696 wrote to memory of 2812	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	38
PID 2696 wrote to memory of 2812	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	38
PID 2696 wrote to memory of 2812	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	38
PID 2696 wrote to memory of 2192	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	42
PID 2696 wrote to memory of 2192	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	42
PID 2696 wrote to memory of 2192	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	42
PID 2696 wrote to memory of 2192	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	42
PID 2696 wrote to memory of 2768	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	43
PID 2696 wrote to memory of 2768	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	43
PID 2696 wrote to memory of 2768	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	43
PID 2696 wrote to memory of 2768	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	43
PID 2696 wrote to memory of 1948	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	48
PID 2696 wrote to memory of 1948	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	48
PID 2696 wrote to memory of 1948	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	48
PID 2696 wrote to memory of 1948	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	48
PID 1948 wrote to memory of 2964	1948	explorer.exe	49
PID 1948 wrote to memory of 2964	1948	explorer.exe	49
PID 1948 wrote to memory of 2964	1948	explorer.exe	49
PID 1948 wrote to memory of 2964	1948	explorer.exe	49
PID 2964 wrote to memory of 1936	2964	explorer.exe	50
PID 2964 wrote to memory of 1936	2964	explorer.exe	50
PID 2964 wrote to memory of 1936	2964	explorer.exe	50
PID 2964 wrote to memory of 1936	2964	explorer.exe	50
PID 2696 wrote to memory of 2232	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	51
PID 2696 wrote to memory of 2232	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	51
PID 2696 wrote to memory of 2232	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	51
PID 2696 wrote to memory of 2232	2696	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	51
PID 1936 wrote to memory of 1888	1936	explorer.exe	55
PID 1936 wrote to memory of 1888	1936	explorer.exe	55
PID 1936 wrote to memory of 1888	1936	explorer.exe	55
PID 1936 wrote to memory of 1888	1936	explorer.exe	55
PID 1888 wrote to memory of 792	1888	explorer.exe	56
PID 1888 wrote to memory of 792	1888	explorer.exe	56
PID 1888 wrote to memory of 792	1888	explorer.exe	56
PID 1888 wrote to memory of 792	1888	explorer.exe	56
PID 792 wrote to memory of 2252	792	explorer.exe	57
PID 792 wrote to memory of 2252	792	explorer.exe	57
PID 792 wrote to memory of 2252	792	explorer.exe	57
PID 792 wrote to memory of 2252	792	explorer.exe	57

C:\Users\Admin\AppData\Local\Temp\1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
"C:\Users\Admin\AppData\Local\Temp\1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 b8-d8-43-b3-57-8a
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 e6-86-1c-53-b5-ef
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\arp.exe
  arp -s 136.243.69.123 7c-b4-5b-bd-f2-1b
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 66-aa-d2-5c-05-5c
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 58-1e-f5-98-2b-9c
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 60-82-91-be-c4-3d
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 4b-10-f8-1f-74-e3
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 9b-9d-8e-b6-c2-c6
  2⤵
  - Loads dropped DLL
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
  C:\Windows\system32\hfroyyvmyb\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        Drops file in Program Files directory
        
        PID:3912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        22⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        23⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        24⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        20⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        19⤵
        Enumerates connected drives
        
        PID:8836
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:7748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        17⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        16⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        15⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in Program Files directory
        
        PID:3516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:6900
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8504
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in Program Files directory
        
        PID:3404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:7204
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:492
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8920
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:8648
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9212
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8812
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:7756
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8280
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in Program Files directory
        
        PID:2276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:1924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:7788
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:5856
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:8484
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in Program Files directory
        
        PID:3100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in Program Files directory
        
        PID:4164
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in Program Files directory
        
        PID:2560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:684
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9864
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Enumerates connected drives
        Drops file in Program Files directory
        
        PID:4404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8900
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:3576
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:2580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:5736
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Drops file in Program Files directory
        
        PID:3672
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10284
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:9724
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:7672
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6612
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3136
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:9796
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:476
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8332
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:5536
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8852
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1732
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:3560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10120
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:8592
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:664
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:2064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in Program Files directory
        
        PID:3196
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:8884
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:8992
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6816
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:9112
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:4240
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:9148
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:924
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3232
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5144
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7868
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:9072
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Enumerates connected drives
      PID:2948
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Drops file in Program Files directory
        
        PID:3240
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8844
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:8908
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:8168
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:7228
- C:\Windows\SysWOW64\arp.exe
  arp -d
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\wamhjvwiug\smss.exe
  C:\Windows\system32\wamhjvwiug\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4372
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:8892
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9000
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8784
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10292
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:3328
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Drops file in Program Files directory
        
        PID:2076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:8220
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9056
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:3380
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:936
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Drops file in Program Files directory
        
        PID:4484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10260
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9048
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:7564
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:9948
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    PID:2332
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3444
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10308
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9064
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8060
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:10268
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7272
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Enumerates connected drives
        
        PID:8928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe

Filesize
80KB

MD5
691bbe9926fb1e25fca69011ee582cda

SHA1
38aa194ead7afc4fb00c878dea4ac91a2fbb53ea

SHA256
a89de750c7600fa9ddc08bc8ae7d332bcc7a095a40ff7ee642d152432ca6a777

SHA512
6e48356a9106d02758d2ca551a6d387473f6091ff1d09a26fa70eb3667c959d4ba6e316e09aff3cf3e5708c12ccdcadf4a0aafdcfca33750f6320c8021175209

Download Submit
\??\c:\progra~1\common~1\system\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
0609f5fe5fee88412b62aacafc43aedc

SHA1
e36ebd88d34a8b9af2808eb156f108ffc30d6a26

SHA256
b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6

SHA512
63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

Download Submit
memory/320-221-0x0000000000390000-0x00000000003E8000-memory.dmp

Filesize
352KB

Download
memory/320-187-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/320-203-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/320-205-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/320-207-0x0000000000390000-0x00000000003E8000-memory.dmp

Filesize
352KB

Download
memory/320-186-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/320-234-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/320-235-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/632-218-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/632-228-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/632-240-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/664-229-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/792-151-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/792-164-0x0000000000580000-0x00000000005D8000-memory.dmp

Filesize
352KB

Download
memory/792-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/792-123-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1276-224-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1276-243-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1276-247-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1688-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1688-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1688-183-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1688-155-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1864-12-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1864-10-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1888-144-0x0000000001D90000-0x0000000001DE8000-memory.dmp

Filesize
352KB

Download
memory/1888-129-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1888-104-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1888-134-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1888-120-0x0000000001D90000-0x0000000001DE8000-memory.dmp

Filesize
352KB

Download
memory/1908-169-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1908-193-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1908-194-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1936-85-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1936-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1936-122-0x0000000001D70000-0x0000000001DC8000-memory.dmp

Filesize
352KB

Download
memory/1936-246-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1936-244-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1936-100-0x0000000001D70000-0x0000000001DC8000-memory.dmp

Filesize
352KB

Download
memory/1936-112-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1936-103-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-70-0x0000000002740000-0x0000000002798000-memory.dmp

Filesize
352KB

Download
memory/1948-84-0x0000000002740000-0x0000000002798000-memory.dmp

Filesize
352KB

Download
memory/1948-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-69-0x0000000002740000-0x0000000002798000-memory.dmp

Filesize
352KB

Download
memory/1948-91-0x0000000002740000-0x0000000002798000-memory.dmp

Filesize
352KB

Download
memory/1948-63-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1948-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-74-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-132-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1948-76-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2192-43-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2192-25-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2216-239-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2216-237-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2232-87-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2252-153-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2252-172-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2252-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2252-180-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2252-166-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2252-138-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2284-33-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2284-14-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2324-40-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2324-24-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2484-227-0x0000000001DE0000-0x0000000001E38000-memory.dmp

Filesize
352KB

Download
memory/2484-219-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2484-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2484-206-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-201-0x0000000003A60000-0x0000000003AB8000-memory.dmp

Filesize
352KB

Download
memory/2696-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2696-4-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-222-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2696-62-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-56-0x00000000033C0000-0x0000000003418000-memory.dmp

Filesize
352KB

Download
memory/2696-182-0x0000000003A60000-0x0000000003AB8000-memory.dmp

Filesize
352KB

Download
memory/2696-90-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-128-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-171-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2696-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2696-58-0x00000000033C0000-0x0000000003418000-memory.dmp

Filesize
352KB

Download
memory/2704-39-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2704-22-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2716-20-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2716-37-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2752-31-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2752-29-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2768-21-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2768-35-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2780-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2780-196-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2780-238-0x00000000003A0000-0x00000000003F8000-memory.dmp

Filesize
352KB

Download
memory/2780-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2780-236-0x00000000003A0000-0x00000000003F8000-memory.dmp

Filesize
352KB

Download
memory/2780-212-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2780-250-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2804-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2804-226-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2804-209-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2812-41-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2812-28-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2964-260-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2964-96-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2964-245-0x0000000002B00000-0x0000000002B58000-memory.dmp

Filesize
352KB

Download
memory/2964-109-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2964-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2964-73-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2964-220-0x0000000002B00000-0x0000000002B58000-memory.dmp

Filesize
352KB

Download